Re-,

Thanks all for the positive feedback received so far. 

Starting with framing the problem and identifying the list of issues to address 
looks like a good idea.

@Arnaud, if you can draft something to iterate on, this would be helpful. Thank 
you.

Cheers,
Med

> -----Original Message-----
> From: EBALARD Arnaud <[email protected]>
> Sent: Wednesday 8 October 2025 10:46
> To: BOUCADAIR Mohamed INNOV/NET <[email protected]>;
> Douglas Gash (dcmgash) <[email protected]>; [email protected]
> Subject: RE: draft-dahm-opsawg-tacacs-security: update plan?
> 
> 
> Hi all,
> 
> I'll happily take part in the discussion.
> 
> I think it would be useful to have some kind of shared problem
> statement (not necessarily a separate document) so that we all
> agree both on the issue and the goals of that work. Then, some
> possible solutions should be considered based either on IETF
> previous work (e.g. draft-dahm-opsawg-tacacs-security) and/or
> other initiatives (some vendors are currently pushing in their
> products the ability to use SSH certificates for authentication
> coupled w/ tacacs+ for authorization based on the identity in the
> certificate). I can try and start a list of topics to be addressed
> if you think it would help (authorization-only vs
> authentication+authorization, revocation, ability to support HTTPS
> w/ X.509 client authentication and not only SSH, etc.).
> 
> Cheers,
> 
> Arnaud
> 
> -----Original Message-----
> From: [email protected] <[email protected]>
> Sent: Wednesday 8 October 2025 08:50
> To: EBALARD Arnaud <[email protected]>; Douglas Gash (dcmgash)
> <[email protected]>; [email protected]
> Subject: [OPSAWG] draft-dahm-opsawg-tacacs-security: update plan?
> 
> Hi all,
> 
> Now that we are close to getting the TACACS+TLS RFC out of the
> door, I'd like us to start discussing (and hopefully converging on a
> plan) how to address a key pending operational issue that we
> recorded in the T+TLS spec:
> 
>    This document concerns the use of TLS as transport for TACACS+,
>    and does not make any changes to the core TACACS+ protocol, other
>    than the direct implications of deprecating obfuscation.  Operators
>    MUST be cognizant of the security implications of the TACACS+
>    protocol itself.  Further documents are planned, for example, to
>    address the security implications of password based authentication
>    and enhance the protocol to accommodate alternative schemes.
> 
> See also the discussion in [1].
> 
> Some of these points can be addressed by refreshing draft-dahm-
> opsawg-tacacs-security.
> 
> Thoughts, suggestions, and volunteers to drive this work are
> welcome.
> 
> Cheers,
> Med
> 
> [1] https://mailarchive.ietf.org/arch/msg/opsawg/neElBSTsv4s64434gN8MCaqZLCk/

_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]